All you should have to do is define your remote logging options under System and define your inputs on Splunk. The F5 will automagically send anything that is standard syslog to that remote address. For ASM/APM you can collect data using High Speed Logging (HSL) or AVR and configure the publishers/destinations for each. Configure a pool (or pools) that has your indexer/port defined as a member, or you could even create a VIP to handle load balancing between indexers if you wanted, and your AVR/HSL destination could be a pool with the VIP address as its member.
Just to recap this conversation, which you started some time ago: I am having problems getting Splunk fully functional after following the steps in the PDF file that came with the app's package. The field attack_type, used in many queries of the first app menu's group, is presenting, I imagine, wrong data. It is presenting graphs with symbols such as commas, double quotes and single quotes. I will count on your help to understand whether it is a problem or not... Could you give me a hand with that? Thanks a lot, and looking forward to hearing from you.
I am having the same issue. Latest Splunk, latest F5 app, and it fails to work as the data is in quotes?
Make sure the logging profile is using a Remote Storage Type of Reporting Server.
Here's an article that might help:
I'll also take a look at my lab setup to see if I can figure out the exact details for ASM and Splunk configuration.
So it doesn't seem possible to have all contents of /var/log/asm sent to Splunk, similar to how /var/log/ltm and /var/log/audit get sent to Splunk by default?